DETAILED ACTION 

1. This non-final Office action is in reply to the response to Office Action filed on 7 July 2008. 

2. No claims have been amended. 

3. Claims 1-30 are currently pending and have been examined. 

4. This office action has been made non-final in order to address a new ground of rejection under 
35 U.S.C. 101. 

Response to Arguments 

5. Applicant's arguments filed 7 July 2008 have been fully considered but they are not persuasive. 

6. Applicant submits that Callahan (U.S. Pub. No. 2003/0229525) does not teach or suggest in 
Claim 1: (1) assessing an impact on the enterprise from a degradation of the services from the 
outside service provider [see Remarks page 11, first paragraph], and (2) automatically 
determining a criticality of the outside service provider in response to the assessment [see 
Remarks page 11, first paragraph]. 

7. Applicant submits that Callahan in view of Bott (U.S. 6,856,973) does not teach or suggest in 
Claim 2: (3) identifying countries in which the outside service provider operates, and determining 
a country impact risk associated with the countries, wherein the step of automatically determining 
the criticality is also in response to the country impact risk [see Remarks page 13, first 
paragraph]. 

8. With regard to argument (1), the Examiner respectfully disagrees. Callahan teaches assessing 
an impact (impact value) on the enterprise from a degradation (perceivable threats, damage that 
could occur, insufficient to ensure compliance in an area represented by the question) of the 
services from the outside service provider (Third Party Service Provider, the impact is less critical 
than if account balances, account numbers, and transactions were revealed) (see at least 
paragraphs 0025-0028 and 0060). 

9. With regard to argument (2), the Examiner respectfully disagrees. Callahan teaches 
automatically determining a criticality of the outside service provider in response to the 
assessment (the impact is less critical than if account balances, account numbers, and 
transactions were revealed; overall risk rating, assessment) (see at least paragraphs 0060 and 
0069-0071). 

10. With regard to argument (3), the Examiner respectfully disagrees. Callahan in view of Bott 
teaches, identifying countries in which the outside service provider operates and determining a 
country impact risk (country risk assessment system, volatility risk) associated with the countries, 
wherein the step of automatically determining the criticality is also in response to the country 
impact risk (drastic action is required, drastic measures) (see at least column 7, line 39 through 
column 8, line 22 and Figure 4). 

Claim Rejections - 35 USC § 101 

11. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or 
composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, 
subject to the conditions and requirements of this title. 

12. Claims 1-18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non- 
statutory subject matter. 

13. Claims 1-18 are rejected under 35 U.S.C. 101. Based on Supreme Court precedent and recent 
Federal Circuit decisions, the Office's guidance to examiners is that a § 101 process must (1) be 
tied to another statutory class (such as a particular apparatus) or (2) transform underlying subject 
matter (such as an article or materials) to a different state or thing. Diamond v. Diehr, 450 U.S. 
175, 184 (1981); Parker v. Flook, 437 U.S. 584, 588 n.9 (1978); Gottschalk v. Benson, 409 U.S. 
63, 70 (1972); Cochrane v. Deener, 94 U.S. 780, 787-88 (1876). 

An example of a method claim that would not qualify as a statutory process would be a claim that 
recited purely mental steps. Thus, to qualify as a § 101 statutory process, the claim should 
positively recite the other statutory class (the thing or product) to which it is tied, for example by 
identifying the apparatus that accomplishes the method steps, or positively recite the subject 
matter that is being transformed, for example by identifying the material that is being changed to 
a different state. Here, applicant's method steps fail the first prong of the new Federal Circuit 
decision since they are not tied to another statutory class and can be performed without the use 
of a particular apparatus. Thus, claims 1-18 are non-statutory since they may be performed within 
the human mind. 

Claim Rejections - 35 USC § 102 

14. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for 
the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), 
by another filed in the United States before the invention by the applicant for patent or (2) a 
patent granted on an application for patent by another filed in the United States before the 
invention by the applicant for patent, except that an international application filed under the treaty 
defined in section 351(a) shall have the effects for purposes of this subsection of an application 
filed in the United States only if the international application designated the United States and 
was published under Article 21(2) of such treaty in the English language. 

15. Claims 1, 4-11, 15-19, 21-25, 29, and 30 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Callahan et al (Callahan) (U.S. Pub. No. 2003/0229525). 



With regard to Claim 1 , Callahan teaches a method and system comprising: 
• identifying outside service provider information that describes the outside 
service provider (provide a population of all third-party providers and risk- 
rank them) (see at least paragraph 0028). 

• storing the outside service provider information in a database (Assessment 
templates, 612, are also stored in fixed storage) (see at least paragraph 
0043). 

• identifying resource information that describes resources of the enterprise 
associated with services provided by the outside service provider (the type of 
data shared between the financial services company and the provider) (see 
at least paragraph 0028). 

• storing the resource information in the database (Assessment templates, 
612, are also stored in fixed storage) (see at least paragraph 0043). 



• assessing an impact (impact value) on the enterprise from a degradation 
(perceivable threats, damage that could occur, insufficient to ensure 
compliance in an area represented by the question) of the services from the 
outside service provider (Third Party Service Provider, the impact is less 
critical than if account balances, account numbers, and transactions were 
revealed) (see at least paragraphs 0025-0028 and 0060). 

• storing the assessment in the database (Assessment templates, 612, are 
also stored in fixed storage) (see at least paragraph 0043). 

• automatically determining a criticality of the outside service provider in 
response to the assessment (the impact is less critical than if account 
balances, account numbers, and transactions were revealed; overall risk 
rating, assessment) (see at least paragraphs 0060 and 0069-0071). 

• storing the criticality in the database (Assessment templates, 612, are also 
stored in fixed storage) (see at least paragraph 0043). 

• providing status data from the database (SQL database) (see at least 
paragraph 0055), wherein the status data comprises at least one of a status 
of: 

o the resource information 

o the assessment (updated to change the status of the 
assessment) (see at least paragraph 0055). 

o the criticality (critical) (see at least paragraph 0060). 

With regard to Claim 19, Callahan teaches a system, interface, database server, and 
application server (Microsoft's Internet Information Services) (see at least paragraph 0047). 
Claim 19 is further substantially similar to claim 1 and is rejected for the same rationale as set 
forth above. 

With regard to Claims 4 and 21, Callahan teaches wherein at least one of the resources 
of the enterprise includes at least one software application employed by the enterprise 
(Application Software) (see at least paragraph 0029). 

With regard to Claims 5 and 22, Callahan teaches: wherein the step of assessing the 
impact (threat value, impact value) on the enterprise further comprises at least one of: 

• assessing an impact on external customers (customer's name) (see at least 
paragraph 0060) of the enterprise resulting from the degradation of the 
services from the outside service provider. 

• assessing an impact on internal customers (of other areas of the enterprise) 
(see at least paragraph 0025) of the enterprise resulting from the degradation 
of the services from the outside service provider. 
• assessing a financial impact (account balances, account numbers, and 
transactions) resulting from the degradation of the services from the outside 
service provider (see at least paragraph 0060). 

• assessing an allowable time period that the degradation of the services from 
the outside service provider can last. 

• assessing an impact on regulatory obligations (monitoring compliance with 
the GLBA [Gramm-Leach-Bliley Act (GLBA), paragraph 0002]) resulting from 
the degradation of the services from the outside service provider (see at least 
paragraph 0020). 

With regard to Claims 6 and 23, Callahan teaches assigning specific people (data 
guardian) to fulfill roles with respect to management of a relationship with the outside service 
provider, wherein the roles include at least one of information owner and information risk 
manager (see at least paragraph 0034). 

With regard to Claims 7 and 24, Callahan teaches receiving acknowledgements of the 
acceptances of the assignments from the specific people (obtains a sign-off from the approver) 
(see at least paragraph 0034). 

With regard to Claims 8 and 25, Callahan teaches assigning alternate people to fulfill the 
roles (one or more reviewers or "data guardians") (see at least paragraph 0026). 

With regard to Claim 9, Callahan teaches wherein the role of the information owner 
comprises at least one of: 

• obtaining from the outside service provider copies of financial and non- 
financial audit reports (audits) (see at least paragraph 0024). 



Application/Control Number: 10/664,283 Page 8 

Art Unit: 3624 

• obtaining documentation describing the outside service provider's 
procedural, physical access, logical access and business recovery controls 
(emphasizing those that have access to or who manipulate, store, transmit or 
destroy the company's consumer customer information) (see at least 
paragraph 0028). 

• requiring notification by the outside service provider of any organization, 
security-related and other changes affecting the availability, confidentiality, or 
integrity of the services provided by the outside service provider. 

• initiating the risk assessment process (The process starts at 201) (see at 
least paragraph 0026). 

With regard to Claim 10, Callahan teaches wherein the role of information risk manager 
(data guardian) comprises at least one of: 

• maintaining an updated list of outside service providers used by the 
enterprise (the database is kept updated) (see at least paragraphs 0054- 
0056). 

• allocating resources for the outside service provider assessment process. 

With regard to Claims 11 and 30, Callahan teaches wherein all of the steps of the method 
are facilitated using a software application (risk assessment module), the method further 
comprising: 

• generating data input screens for accepting input from a user (screens that 
show detail of how comments are entered and risk values are established) 
(see at least paragraph 0059). 

• providing drop down boxes on the data input screens in order to facilitate 
selection of predefined information (a drop-down box, accessed from the tab, 
displays that progress) (see at least paragraph 0058). 
With regard to Claims 15 and 29, Callahan teaches providing status data on the enterprise level; 
providing status data on a line of business level; and providing status data on a department level 
(handle assessments at whatever level a business unit or the enterprise wants, executives, 
administrators, senior managers) (see at least paragraph 0032). 

With regard to Claim 16, Callahan teaches wherein the enterprise has policies and 
procedures (policies and procedures) for protecting the integrity of the provision of services 
(Identify perceivable threats, evaluate the likelihood of those threats), the method further 
comprising assessing the compliance (compliance) of the outside service provider to the policies 
and procedures (see at least paragraph 0025). 

With regard to Claim 17, Callahan teaches developing a corrective action plan if the 
outside service provider is not in compliance, the corrective action plan containing the steps 
required to bring the outside service provider into compliance (The assessor works through 
whatever corrective action needs to be taken on the assessment and re-submits it to the data 
guardian) (see at least paragraph 0057). 

With regard to Claim 18, Callahan teaches obtaining an acknowledgement by 
management of the enterprise of risk associated with the non-compliance of the outside service 
provider (non-compliance is indicated based on a response or group of responses) (see at least 
paragraph 0023). 

Claim Rejections - 35 USC §103 

16. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness 
rejections set forth in this Office action: 
(a) A patent may not be obtained though the invention is not identically disclosed or described as 
set forth in section 102 of this title, if the differences between the subject matter sought to be 
patented and the prior art are such that the subject matter as a whole would have been obvious 
at the time the invention was made to a person having ordinary skill in the art to which said 
subject matter pertains. Patentability shall not be negatived by the manner in which the invention 
was made. 

17. Claims 2, 3, 12-14, 20, and 26-28 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Callahan as applied to claims 1, 4-11, 15-19, 21-25, 29, and 30 above, in view of Bott (U.S. 
6,856,973) and in further view of Borgia et al (Borgia) (U.S. Pub. No. 2002/0129221). 

With regard to Claims 2 and 20, Callahan does not specifically teach identifying countries 
in which the outside service provider operates and determining a country impact risk associated 
with the countries, wherein the step of automatically determining the criticality is also in response 
to the country impact risk. Bott teaches identifying countries in which the outside service provider 
operates and determining a country impact risk (country risk assessment system, volatility risk) 
associated with the countries, wherein the step of automatically determining the criticality is also 
in response to the country impact risk (drastic action is required, drastic measures) in analogous 
art of assessing creditworthiness of a country for the purposes of, "[u]nits of government could 
use their legal empowerment to delay or discontinue transactions" (see at least column 7, line 39 
through column 8, line 22 and Figure 4). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the volatility risk of that country as taught by Bott with the integrated compliance 
monitoring method of Callahan. One of ordinary skill in the art would have been motivated to do 
so for the benefit of knowing an updated status of a country's ability to maintain a strong 
economic status (Bott, column 8, lines 10-22). 

With regard to Claim 3, Callahan does not specifically teach collecting economic 
condition information with respect to the country; storing the economic condition information in the 
database; collecting social condition information with respect to the country; storing the social 
condition information in the database; collecting political condition information with respect to the 
country; and storing the political condition information in the database. Bott teaches collecting 
economic (economic) condition information with respect to the country; storing the economic 
condition information in the database (creating a database of economic scores for the country) 
(see at least column 1, lines 36-45); collecting social condition (social) information with respect to 
the country; storing the social condition information in the database; collecting political condition 
information with respect to the country; and storing the political condition (political) (see at least 
column 4, lines 64-67 and column 5, lines 1-7) information in the database in analogous art of 
assessing creditworthiness of a country for the purposes of, "[f]actors that may interfere with an 
ability or willingness of a country and its economic agents to honor their financial or contractual 
obligations to non-resident owners..." (see at least column 5, lines 2-7). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the economic and risk factors of a country as taught by Bott with the integrated 
compliance monitoring method of Callahan. One of ordinary skill in the art would have been 
motivated to do so for the benefit of implementing a country risk assessment system (Bott, 
column 4, lines 64-67). 

With regard to Claims 12 and 26, Callahan and Bott do not teach assessing a recovery 
plan of the outside service provider. Borgia teaches assessing a recovery plan (plan accessible to 
a crisis team for recovery) of the outside service provider (see at least paragraph 0043) in 
analogous art of tracking compliance with policies related to management of risk for the purposes 
of "...an information policy provides the requirements for disaster recovery preparedness" (see at 
least paragraph 0043). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the disaster recovery preparedness plan as taught by Borgia with the economic and risk 
factors of a country as taught by Bott and the integrated compliance monitoring method of 
Callahan. One of ordinary skill in the art would have been motivated to do so for the benefit of 
un-interrupted business process due to a backup recovery plan (Borgia, paragraph 0043). 

With regard to Claims 13 and 27, Callahan and Bott do not teach questioning the 
developer of the plan as to whether it has required elements; and developing a corrective action 
plan to address missing required elements. Borgia teaches questioning the developer (risk 
management assessor) of the plan as to whether it has required elements (consisting of a series 
of questions that must be answered with appropriate responses to produce compliance) and 
developing a corrective action plan to address missing required elements (reviews areas of non- 
compliance and the associated risk acknowledgements to provide approval if appropriate) in 
analogous art of tracking compliance with policies related to management of risk for the purposes 
of "having an approved process or plan in place to achieve compliance" (see at least paragraphs 
0043-0057). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the disaster recovery preparedness plan as taught by Borgia with the economic and risk 
factors of a country as taught by Bott and the integrated compliance monitoring method of 
Callahan. One of ordinary skill in the art would have been motivated to do so for the benefit of 
increased awareness and corrective measures for missing elements or non-compliance with a 
business institution (Borgia, paragraphs 0043-0057). 

With regard to Claims 14 and 28, Callahan and Bott do not teach an alternate site for 
providing the services; and a business continuity plan for resumption of the services at the 
alternate site. Borgia teaches an alternate site for providing the services (may depend upon such 
factors as whether information is stored off site on a regular basis) and a business continuity plan 
for resumption of the services at the alternate site (Once risk is acknowledged, a plan for 
reducing the risk or bringing the project into compliance can be formulated) in analogous art of 
tracking compliance with policies related to management of risk for the purposes of "The rating for 
disaster recovery readiness may depend upon such factors as whether information is stored off 
site on a regular basis, intervals in which system backups are made, robustness of computer 
recovery systems" (see at least paragraph 0017). 

It would have been obvious to one of ordinary skill in the art at the time of the invention to 
combine the disaster recovery preparedness plan as taught by Borgia with the economic and risk 
factors of a country as taught by Bott and the integrated compliance monitoring method of 
Callahan. One of ordinary skill in the art would have been motivated to do so for the benefit of 
survivability due to a disaster by having an alternate backup (Borgia, paragraph 0017). 

Conclusion 

18. The following prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure: 

• Gopinathan et al (U.S. 6,330,546) discloses risk determination and management using 
predictive modeling and transaction profiles for individual transaction entities. 

Any inquiry concerning this communication or earlier communications from the examiner should 
be directed to THOMAS MANSFIELD whose telephone number is (571)270-1904. The examiner can 
normally be reached on Monday-Thursday 8:30 am-6 pm, alt. Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 
Bradley Bayat can be reached on 571-272-6704. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be obtained from 
either Private PAIR or Public PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) 
at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative 
or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272- 
1000. 

/T. M./ 

Examiner, Art Unit 3624 

10 October 2008 
Thomas Mansfield 



/Bradley B Bayat/ 

Supervisory Patent Examiner, Art Unit 3623 



